Cybercriminals turn legitimate apps into gold mines: Are you a victim?
Experts warn of a trend of attacks targeting mobile phone users in the Asia region, including Vietnam.

Overview
Recently, a sophisticated attack campaign has been spreading across the Asia-Pacific region, including Vietnam, directly targeting banking users and financial applications. Instead of creating fake applications as traditional phishing campaigns do, the GoldFactory cybercriminal group applies a new technique: inserting malicious code into legitimate applications, turning software the user already trusts into a tool for stealing data and taking over accounts.
According to Group-IB analysis, dozens of banking applications in the region have been modified and redistributed through unofficial channels, mainly via messages and calls impersonating state agencies, public services or banks. Once the victim installs one, the malware operates silently: monitoring the screen, collecting passwords, OTPs and personal information, and allowing the criminals to control the device remotely.
The campaign demonstrates the high level of expertise of cyber criminals, as they use legitimate tools such as Frida and Dobby to deeply interfere with applications and bypass many layers of security controls. With the number of victims increasing rapidly in many countries, including Vietnam, this threat poses an urgent need to strengthen security monitoring, raise user awareness and tighten the application distribution process of financial institutions.
A few words about GoldFactory

Who is GoldFactory?
GoldFactory has been identified as a cybercriminal group (threat actor) operating mainly in the Asia-Pacific (APAC) region. According to researchers, GoldFactory has a relatively "professional" structure: it includes both a malware development team and an "operations and deployment" team (ops / social engineering & distribution), and it targets multinational markets as well as banking and financial institutions.
History of the group
GoldFactory first became known around mid-2023, when its first malware variant, GoldDigger, was identified. Some time later, GoldFactory quickly expanded its malware portfolio with variants such as GoldDiggerPlus, GoldKefu, and especially GoldPickaxe (Android + iOS).

Starting around late 2024 and early 2025, GoldFactory's campaigns were discovered in many countries: initially Thailand, then spreading to Vietnam. By mid-2025 the activity had become more widespread, especially in Indonesia, with hundreds of banking applications "injected" with malware and thousands of infected devices.

Attack method

As analyzed above, GoldFactory does not rely on the usual "fake apps"; instead it uses far more sophisticated tactics:
The group decompiles the official banking applications (recovering the source code or logic of the original app), inserts malicious code and re-compiles, thereby creating "modified" versions of the app (modified banking apps) that keep all normal functions so that users do not become suspicious.
When users install and run the app, the malicious code "hooks" into the runtime and changes its logic: it interferes with security processes, bypasses integrity checks, hides the installation source and hides its services.
As a result, the app still operates normally, making detection by users or ordinary security tools very difficult, while behind the scenes the attackers can record the screen and keystrokes, manipulate the UI, track user operations, and steal passwords, OTPs, sessions, cookies and other sensitive information.
GoldFactory tools used
GoldDigger: Android banking Trojan - takes advantage of Accessibility Service to control and obtain account information.
GoldDiggerPlus + GoldKefu: Expansion version - adds the ability to use "fake web" (fake interface) to capture passwords, pop up fake bank alerts, and can make real phone calls to trick victims.
GoldPickaxe (Android & iOS): Advanced malware - collects biometric data (face), photo/ID scan, SMS, traffic; used to create deepfake, gain bank access.
Injected banking apps (modded apps): The official bank app is injected with malicious code; it keeps its normal functions but hides malware inside, which makes it easy to trick users.
Hook frameworks / backdoor tools: Used to hook runtime, bypass security, maintain stealth, remote control, hide malware.
Campaign details
Initial infection process
As mentioned above, GoldFactory mainly targets users in Vietnam and Indonesia. In Vietnam, for example, they repeatedly impersonate trusted apps or government apps, including Vietnam Electricity Group (the national electricity supplier), provincial Health Departments, the National Public Service Portal and the Ministry of Public Security. In one scenario they pose as employees of the electricity corporation and contact the victim by phone, claiming that the electricity bill is overdue.
During the call, the victim is asked to add the scammer on Zalo to receive further instructions for downloading the mobile application. The scammers then warn that failure to install the app and link their accounts as directed will result in the victim's electricity service being suspended immediately. This tactic exploits fear and urgency to force victims to comply.

The group then sends the victim a link that looks like a legitimate Google Play page but actually delivers an APK file. Once the download is complete, the app prompts the victim to enable all the permissions it needs on their device.

Sometimes they target owners of food and beverage businesses. In this scenario, scammers call business owners pretending to be Department of Health officials, then ask to connect via the social networking platform Zalo. They claim that the Department's inspection team will soon visit to check compliance with food hygiene and safety rules.
After establishing contact, the scammer sends fake documents via Zalo, impersonating official notices and decisions supposedly issued by the Department of Health. These documents include fake notices about the establishment of inspection and supervision teams for food businesses in the city. Victims are then instructed to visit a malicious website to download the app and submit their information.


These malicious applications are all stored by the attack group on 2 domains: ykkadm[.]icu and dgpyynxzb[.]com


Activation process
As mentioned before, GoldFactory works by inserting malicious code into part of the application while the original application retains its normal functionality: the malicious components launch first and then hand execution back to the application so that it runs as normal. The main functions of this malicious code are:
Hide the list of apps that have Accessibility Services enabled.
Prevent screencast detection.
Forge the signature of an Android application.
Hide the installation source.
Implement custom integrity token providers.
Obtain the victim's account balance.
First, after installation, an application named FriHook is executed with the aim of bypassing integrity checks and hiding malicious activity on the infected device.

One thing worth noting about this component is that it returns legitimate signature information, making the host app believe that the APK is signed with a valid release certificate rather than a debug certificate. This allows the modified application to pass signature-based integrity checks.

Even in these early steps, the malicious code also establishes connections to the C2 server to control the device remotely and to collect information and notifications. All of this data is sent to wm.b-ty.com on port 8080.

After having enough information, the attacker can use remote access (WebRTC, backdoor) to view the screen and control the UI. Even more worrisome is that they can perform money transfers, enable transactions via fake UI, or export data to use for deepfake/authentication spoofing.
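The activation steps above hinge on the fact that a repackaged APK cannot carry the original developer's signature, which is why FriHook has to lie to the app about its own certificate. A defender therefore wants a check that runs off the device, where a hook cannot interfere: compare a suspect APK against a known-good copy of the genuine app. The script below is an added example written for this article, not code from Group-IB or from the campaign; it builds two small constructed APK-like zip files in memory (the entry names and contents are placeholders) and flags re-signed signature files and added or modified code entries.

```python
"""Offline repackaging check for an Android APK (added example, not from the article).

Compares a suspect APK with a known-good genuine APK and reports:
  - v1 (JAR) signature files that differ, which happens whenever the APK is re-signed
  - .dex or native library entries that were added by an injection step
  - original .dex entries whose content changed
Only Python's standard library is used, so the check runs offline.
"""
import hashlib
import io
import zipfile

# v1 signature material lives in these META-INF entries (v2/v3 signing blocks sit
# outside the zip entries and need a separate check, e.g. apksigner verify).
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def _entry_digests(apk_bytes):
    """Map every zip entry name to the SHA-256 hex digest of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def _is_signature_entry(name):
    """True for META-INF/*.RSA|DSA|EC|SF and META-INF/MANIFEST.MF."""
    return name.startswith("META-INF/") and (
        name.endswith(SIGNATURE_SUFFIXES) or name == "META-INF/MANIFEST.MF")


def compare_apks(genuine_bytes, suspect_bytes):
    """Return a list of human-readable findings; an empty list means no change detected."""
    genuine = _entry_digests(genuine_bytes)
    suspect = _entry_digests(suspect_bytes)
    findings = []
    # 1. Re-signing regenerates the signature files, so any difference is a red flag.
    sig_names = {n for n in set(genuine) | set(suspect) if _is_signature_entry(n)}
    for name in sorted(sig_names):
        if genuine.get(name) != suspect.get(name):
            findings.append(f"signature file differs: {name}")
    # 2. Injected code usually arrives as an extra dex file or a native library.
    for name in sorted(set(suspect) - set(genuine)):
        if name.endswith(".dex") or name.startswith("lib/"):
            findings.append(f"added code entry: {name}")
    # 3. Patched original code shows up as a changed dex digest.
    for name in sorted(set(suspect) & set(genuine)):
        if name.endswith(".dex") and genuine[name] != suspect[name]:
            findings.append(f"modified dex: {name}")
    return findings


def _build_apk(entries):
    """Build a constructed, minimal APK-like zip in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a "genuine" app and a re-signed copy with injected code.
GENUINE_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.bank'/>",
    "classes.dex": b"dex\n035\x00genuine-code",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"release-cert-pkcs7-placeholder",
})
SUSPECT_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.bank'/>",
    "classes.dex": b"dex\n035\x00genuine-code",           # untouched original code
    "classes2.dex": b"dex\n035\x00injected-hook-loader",    # injected dex (placeholder)
    "lib/arm64-v8a/libinject.so": b"\x7fELF-placeholder",   # injected native lib (placeholder)
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes2.dex\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\nX: resigned\n",
    "META-INF/CERT.RSA": b"attacker-cert-pkcs7-placeholder",
})

if __name__ == "__main__":
    for finding in compare_apks(GENUINE_APK, SUSPECT_APK):
        print(finding)
```

In practice the genuine copy comes from the bank's own release pipeline, and the same comparison can be run by a fraud team over APKs harvested from the distribution domains in the IOC list. Because the on-device PackageManager checks that FriHook subverts are exactly the ones an attacker controls, the durable mitigation is a server-side attestation of the app (for example Play Integrity) combined with this kind of off-device comparison.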
Conclusion
GoldFactory's campaign shows that cybercriminals are entering a new phase, much more sophisticated and dangerous than previous forms of mobile fraud. The campaign is no longer just about creating crude fake apps, but instead APT groups directly interfere with legitimate applications, allowing them to bypass almost all normal user defenses, posing a great challenge for both individuals and financial institutions.
When malicious code has the ability to collect biometric data, remotely control devices, spoof banking interfaces and steal OTPs in real time, the line between "normal app use" and "being hacked" becomes extremely thin. Thousands of victims in many countries, including Vietnam, are a clear warning that the trend of financial crimes is changing towards tweaking legitimate applications to turn them into attack weapons.
Ultimately, GoldFactory's campaign is an important reminder that mobile security is no longer a purely technical issue, but a constant race between criminals and Cyber Security surveillance experts. Only when users, businesses and authorities act together can we close the gap and minimize the damage from increasingly sophisticated attack campaigns like this.
Recommendations
Absolutely do not install APK from external links
All variants of GoldFactory require users to install the app from a strange link (sideload), not through Google Play or the App Store.
Even if the link looks "real" (fake page of a state agency, public service application), it must still be considered risky.
Do not grant Accessibility/overlay permissions to unfamiliar apps
When the application requests strange permissions → stop.
Go to Settings → Accessibility to see which app has unusual permissions.
Do not send photos of ID cards or verification videos via such links
GoldFactory collects identity + face documents to:
Make deepfake.
Register for a financial account.
Take out unsecured loans under the victim's identity.
That is why no such information should ever be provided.
Be wary of the following content (high-risk)
Messages about "automated traffic fines - debt lookups - CCCD (citizen ID) updates - receiving benefits".
Calls from people claiming to be police, court or bank staff asking you to install an app.
The website has a strange domain name, similar to the government (for example: gov-vn[.]top).
Check the device periodically
See if there are any strange apps.
Check the permissions list.
Change the password if you suspect the device is controlled.
IOC
Hash
Domain
ykkadm[.]icu
ynsftkg[.]top
dgpyynxzb[.]com
b-ty[.]com
www.vvpolo[.]top
baknx[.]xyz
nxbcak[.]xyz
zoyee[.]cn
evnspccskh[.]com
IP
47.236.246[.]131
47.237.9[.]119
13.214.19[.]168
18.140.4[.]4
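The IOC list above is most useful when it is run against DNS, proxy and firewall logs. The script below is an added example, not part of the article or of any Group-IB tooling: it refangs the defanged indicators, matches hostnames by DNS label so that the C2 host wm.b-ty.com mentioned earlier is caught by the b-ty[.]com entry while a look-alike such as notb-ty.com is not, and matches IPs exactly. The log lines and client addresses are constructed for the demonstration, and the field prefixes the regex recognises (query=, CONNECT, dst=, host=) are an assumption about the log format.

```python
"""Match the article's IOC list against sample log lines (added example)."""
import ipaddress
import re

# Indicators copied from the article, still in defanged form.
IOC_DOMAINS_DEFANGED = [
    "ykkadm[.]icu", "ynsftkg[.]top", "dgpyynxzb[.]com", "b-ty[.]com",
    "www.vvpolo[.]top", "baknx[.]xyz", "nxbcak[.]xyz", "zoyee[.]cn", "evnspccskh[.]com",
]
IOC_IPS_DEFANGED = ["47.236.246[.]131", "47.237.9[.]119", "13.214.19[.]168", "18.140.4[.]4"]


def refang(value):
    """Turn a defanged indicator ("b-ty[.]com") back into a matchable value."""
    return value.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}

# Assumed log format: the destination follows one of these field prefixes; an
# optional ":port" (e.g. the 8080 used by the C2) is allowed after a hostname.
HOST_RE = re.compile(r"(?:query=|CONNECT |dst=|host=)([A-Za-z0-9.\-]+)(?::\d+)?")


def domain_matches(host):
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Matching is done per DNS label, so "wm.b-ty.com" matches "b-ty.com" but
    "notb-ty.com" does not (a plain endswith() check would wrongly match it).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line):
    """Return a list of (kind, indicator) hits found in one log line."""
    hits = []
    for match in HOST_RE.finditer(line):
        token = match.group(1)
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            # Not an IP literal, so treat the token as a hostname.
            matched = domain_matches(token)
            if matched:
                hits.append(("domain", matched))
            continue
        if ip in IOC_IPS:
            hits.append(("ip", str(ip)))
    return hits


def scan_log(text):
    """Return (line_number, line, hits) for every line that touches an IOC."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log: two hits on the C2 host, one on a listed IP, a benign
# lookup, and a look-alike domain that must not match.
SAMPLE_LOG = """\
2025-06-01T10:15:02Z dns query=wm.b-ty.com type=A client=10.0.0.12
2025-06-01T10:15:03Z proxy CONNECT wm.b-ty.com:8080 client=10.0.0.12
2025-06-01T10:16:40Z dns query=play.google.com type=A client=10.0.0.12
2025-06-01T10:17:01Z fw dst=47.236.246.131 dport=443 client=10.0.0.31
2025-06-01T10:18:22Z dns query=notb-ty.com type=A client=10.0.0.40
"""

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}  <- {line}")
```

A hit on any of these indicators from a mobile device on a corporate or banking network is a strong signal that one of the modified apps is installed; the client address in the matching line is the device to isolate and examine (Settings → Accessibility, as recommended above).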